How does ransomware work?
A ransomware attack consists of three phases: infection, hijack, and extortion. When successful, it is fast, taking only a few minutes from the start of the infection until access to the system or files is lost and the ransom is demanded.
CryptoLocker, TorrentLocker, CryptoWall, Fusob, UltraCrypter, and Locky are a few of the most well-known names of ransomware.
Infection by ransomware
Infection by ransomware depends on the execution of malicious code. To make this happen, perpetrators resort to several strategies. The most common are email messages with malicious attachments, fake software updates, and the exploitation of security flaws in older software versions and out-of-date operating systems.
Digital Hijacking
More recent versions of ransomware, known as crypto-ransomware, act in one of two ways: they block the infected system (blockers), making it unusable, or they encrypt files (cryptors), making it impossible to open or execute them.
Ransomware uses effective cryptographic methods to block the system or block access to documents, presentations, images, sound files, videos, and other common file types. In most cases it is impossible to restore access to the encrypted files without the key, which only the perpetrators possess.
When infected by ransomware, the system displays a message (appearing in a new window or changing the desktop background) with the procedure for paying the ransom and removing the block.
Digital Extortion
When a computer, server, or any other device is infected, a ransom payment is demanded, typically in Bitcoin, in exchange for a password that allows you to regain access to your system or the affected files. Despite what the perpetrators may claim, there is no guarantee that you will regain access to your system or files.
How to protect yourself from ransomware
Prevention is the best way to protect yourself from ransomware.
If you suspect that you’ve been infected with ransomware, immediately disconnect your device from the network.
Back up regularly. In addition to ransomware, systems are also exposed to other types of malware (viruses, trojans, spyware, etc.). It’s important to have backups in order to restore files easily and quickly. It’s equally important to test backups, to verify that they are being made properly and that they can be correctly restored.
Store a recent backup on a unit where files cannot be changed. Ransomware affects files that have write permission, including files stored in cloud folders (Dropbox, Google Drive, and OneDrive, for instance) and on external USB drives, among other types of storage.
Use software that neutralizes threats in real time, for instance by blocking access to websites that contain malicious code and by analyzing downloaded files.
Don’t activate macros for files you’ve received via email. Malicious attachments are one of the main sources of ransomware infection. Perpetrators try to persuade users to activate macros so that the ransomware gets executed.
Don’t click on links or visit websites from suspicious email messages. Typically, attackers push users into an impulsive action, such as opening a document or clicking on a link, that may result in infection. To achieve this, they send email messages posing as governmental agencies (for instance, the tax authorities), public safety bodies (police or intelligence services), or known companies (PayPal, FedEx, or DHL). The messages’ content is typically urgent and/or intimidating, demanding immediate action from the user, such as opening a document or visiting a website to resolve a fictitious situation. Usually, to carry out these actions, the user has to install or execute some kind of software (which is later revealed to be malicious).
Show filename extensions. Some files that contain malicious code use a double extension so that the filename appears to end in an inoffensive file extension. By activating this option, you can easily see the real type of the file you’re trying to open (for example, a file shown as “invoice.pdf” is revealed to be “invoice.pdf.exe” when you’ve been sent an executable file).
Don’t use administrator/root permissions unless necessary. A user without administrator permissions is sufficient for most of the device’s usual tasks. As such, even if the malicious code is executed, it may not have the permissions needed to make damaging changes to the system.
Restrict write permissions on file servers whenever possible.
Install the latest security updates for the operating system and other installed software.
Educate users about the threat and define a procedure for when they are suspicious of an email, pop-up, file, or program.
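The double-extension trick described above (an executable shown as “invoice.pdf” when known extensions are hidden) can be checked for automatically. The following script is an added example, not code from the original article or from Eurotux; the extension lists are constructed and deliberately short, and the sample filenames are made up.

```python
from pathlib import Path, PurePath

# Extensions that run code when double-clicked on a typical desktop (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".jar", ".msi", ".hta"}
# "Document-looking" extensions an attacker places in front of the real one.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}


def hidden_name(filename: str) -> str:
    """What a file manager that hides known extensions would display: the last suffix is dropped."""
    return PurePath(filename).stem


def classify(filename: str) -> str:
    """Return 'deceptive', 'executable' or 'ok' for a bare filename.

    'deceptive' means the real (last) extension is executable and the part that stays
    visible when extensions are hidden ends in a decoy extension such as .pdf.
    """
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "deceptive"
    return "executable"


def scan_directory(root: str) -> dict:
    """Classify every regular file below root; only non-'ok' entries are reported."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict = classify(p.name)
            if verdict != "ok":
                findings[str(p)] = verdict
    return findings


if __name__ == "__main__":
    # Constructed sample names, e.g. from an email attachment folder.
    for name in ["invoice.pdf.exe", "invoice.pdf", "setup.exe", "archive.tar.gz", "Report.DOCX.SCR"]:
        print(f"{name:20} shown as {hidden_name(name):16} -> {classify(name)}")
```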
The best solution is to be prepared for a ransomware attack.
How to remove ransomware
If you’ve been infected by ransomware, get in touch with IT security experts for advice on how you should proceed.
The recovery of systems and files infected by ransomware is very unlikely if you don’t have any backups. Many people, out of despair, end up paying the ransom to regain access to their files. However, there is no guarantee that the decryption key will be sent, that the attackers will not demand further payments, or that the system has not been affected by more than one version of ransomware. The quickest (and most economical) way of recovering files infected with ransomware is to restore from a backup.
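Restoring from a backup only helps if the backup was made correctly and can be restored intact, which the prevention list above says must be tested. The script below is an added example, not code from the original article or from Eurotux: it records a SHA-256 manifest at backup time and, after a restore, reports files that are missing or whose content no longer matches (for instance because the restore picked up a copy that ransomware had already rewritten). The demo scenario and its file contents are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its digest; run at backup time."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest and list anything missing or altered."""
    missing, modified = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            modified.append(rel)
    return {"missing": missing, "modified": modified, "ok": not missing and not modified}


def demo() -> dict:
    """Constructed scenario: back up two files, then restore a copy in which one was overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "data"), Path(tmp, "restored")
        src.mkdir()
        (src / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (src / "notes.txt").write_bytes(b"quarterly notes")
        manifest = build_manifest(src)          # taken while the files were still clean
        shutil.copytree(src, dst)               # stand-in for the restore step
        # Simulate a restore that picked up a file after it had been encrypted.
        (dst / "notes.txt").write_bytes(b"\x8a\x11\xf3 unreadable ciphertext")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```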
There are free tools that can help you recover encrypted files without having to pay the ransom. These tools only work with known versions, for which a decryption tool has been previously developed. There are still no tools that function for all types of ransomware.
It’s essential to remove the malware from the system before restoring the files. Otherwise, the system and files will be infected once again. For this, you can use an antivirus or some other protection program. (Please note: this step does not restore access to the files; it merely guarantees that the system is free of the malicious code that encrypts them.)
“The main piece of advice is to not pay the ransom. By sending money to cybercriminals, you are confirming that the ransomware model works, in addition to not guaranteeing that you’ll recover the necessary decryption code to unblock your files.”
— No More Ransom
Free ransomware removal tools
On the “No More Ransom” website, you’ll find decryption tools for some versions of ransomware (Coinvault, WildFire, Chimera, Teslacrypt, Jigsaw, among others). This website results from an initiative of the High Technology Crime Unit of the Dutch Police, the European Cybercrime Centre (EC3) of Europol, and two cybersecurity companies, with the goal of helping victims of ransomware recover their encrypted files without having to pay criminals.
Decryption tools: No More Ransom
Protect your files from ransomware
Ransomware is the largest virtual threat of 2017, massively affecting companies as well as individuals. Don’t become a victim of digital extortion. Protect your files, protect your business.
Eurotux is an expert in IT security, with a vast experience in the protection of technological systems and infrastructures. Get in touch to learn about the most effective and suitable ransomware protection solutions for your business.